You know all the security advice. You need to have a solid firewall. But it’s not enough to defend the perimeter anymore, so you need total visibility into your internal network as well. And don’t forget about antivirus. Better make sure it’s all in working order by frequent pen testing too!
The problem, of course, is that all that costs money — money that many organizations have to be judicious about spending. Rather than yell at you for not buying things you can’t afford, we decided to talk to security experts to find out how they approach infosec triage: how they decide where to direct limited resources, and what steps can be taken for little or no money. We also got a few tips on helping management “discover” money in the budget that can be put towards cyber security.
1. Figure out what data needs real protection
Not everything on your servers is gold, and not everything requires the same level of defense. “Some of your data isn’t important,” says Todd Millecam, CEO and DevOps consultant at IT services provider SWYM Systems. “Things like user order numbers and other info relevant to internal processing are non-important. Payment information, contact information and any customer personal information should be treated as important. The important data should be kept on a different data store and that should be treated as your sysadmin’s personal pet. The non-important data is the cattle.”
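The "pets versus cattle" split Millecam describes is easier to enforce when the decision of what counts as important data is written down as code rather than left to individual developers. The following Python is an added example, not code from the article or from SWYM Systems: it classifies record fields as important (payment, contact and personal data) or non-important (order numbers and other processing data), splits a record accordingly so the important half can be written to the separately managed store, and audits an existing schema for important fields that have ended up in an ordinary table. The field names, the classification policy and the sample schema are all constructed for illustration.

```python
"""Field-level data classification: split records into a protected ('pet')
half and an ordinary ('cattle') half, and audit a schema for misplaced fields.

Added example with a constructed classification policy; adapt the field
names and patterns to your own data model.
"""
from __future__ import annotations

import re

# Constructed policy: exact field names that always count as important.
IMPORTANT_FIELDS = {
    "card_number", "card_expiry", "cvv", "iban",          # payment data
    "email", "phone", "address", "postcode",               # contact data
    "full_name", "first_name", "last_name",                # personal data
    "date_of_birth", "ssn",
}

# Patterns that catch important fields under other names (billing_email,
# shipping_address, cardholder_name, ...). Deliberately conservative so that
# product or status fields are not swept into the protected store.
IMPORTANT_PATTERNS = [re.compile(p) for p in (
    r"(^|_)(card|cardholder|cvv|iban|pan)(_|$)",
    r"(^|_)(email|phone|address|postcode|ssn|dob|birth)(_|$)",
)]


def is_important(field: str) -> bool:
    """Return True if a field should live in the protected data store."""
    f = field.lower()
    return f in IMPORTANT_FIELDS or any(p.search(f) for p in IMPORTANT_PATTERNS)


def split_record(record: dict, join_key: str = "order_id") -> tuple[dict, dict]:
    """Split one record into (pet, cattle).

    Important fields go to the pet half, everything else to the cattle half.
    The join key is kept in both halves so the protected store can be joined
    back to the ordinary one when a process genuinely needs both.
    """
    pet = {k: v for k, v in record.items() if is_important(k)}
    cattle = {k: v for k, v in record.items() if not is_important(k)}
    if join_key in record:
        pet[join_key] = record[join_key]
        cattle[join_key] = record[join_key]
    return pet, cattle


def audit_schema(schema: dict[str, list[str]],
                 protected_tables: set[str]) -> dict[str, list[str]]:
    """Report important fields found in tables outside the protected store.

    schema maps table name -> list of column names. The result maps each
    offending table to the columns that should be moved.
    """
    findings: dict[str, list[str]] = {}
    for table, columns in schema.items():
        if table in protected_tables:
            continue
        misplaced = [c for c in columns if is_important(c)]
        if misplaced:
            findings[table] = misplaced
    return findings


if __name__ == "__main__":
    # Constructed sample record and schema.
    order = {"order_id": "A-1001", "sku": "WIDGET-7", "qty": 2,
             "status": "paid", "card_number": "4111111111111111",
             "billing_email": "alice@example.com"}
    pet, cattle = split_record(order)
    print("pet   :", pet)
    print("cattle:", cattle)

    schema = {
        "orders": ["order_id", "sku", "qty", "status", "billing_email"],
        "customers_secure": ["customer_id", "full_name", "email", "phone"],
    }
    print("misplaced:", audit_schema(schema, protected_tables={"customers_secure"}))
```

Running the audit as part of a schema-migration check is a cheap way to keep the protected store from quietly leaking back into the "cattle" tables as the application grows; the classification lists are the policy, so changes to them should be reviewed like any other security control.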
In general, says Stu Bradley, VP of cybersecurity solutions at SAS, “Start with your company’s business goals in mind. Then figure what the most important assets are that support those goals. For example, if you’re a retailer, it’s imperative to protect customers’ payment data and other personally identifiable information. It’s equally important that customers can securely transact business on your website at all times to drive revenue.”